Enno Rey wrote:
> Hi,
>
>> Per Interface Config
>>
>> no ip redirects
>> no ip unreachables
>
> personally, I don't like those two. what's wrong about a router _sending_
> icmp redirects or (even more important/useful) icmp unreachables?
> keep in mind those commands are not about accepting those (but, as said:
> sending them).
To more explicitly say what everyone was dancing around, ICMPs are classified as "receive" packets which can only be process switched. This leaves a wide open avenue for resource exhaustion attacks.

ICMP can be very useful for troubleshooting and diagnostics. It is also an extremely easy and effective method with which to DoS SPs. I don't agree with blocking it outright, even at the Internet borders, but I do agree that much of it can be used maliciously and that it should be controlled.

Deny ICMP frags explicitly (otherwise you'll endure 2 CPU interrupts). Permit echo requests and replies to your access edges. Permit packet-too-big (for PMTU) and time-exceeded (traceroutes). Then rate-limit it down to a reasonable number.

On your routing devices disable/prevent all unnecessary ICMP services and responses. Rate-limit all necessary responses to a reasonable level.

Good info on how to accomplish all of this can be had in "Router Security Strategies" Cisco Press book and many other resources.

Justin

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
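The policy Justin outlines (drop ICMP fragments, allow echo/echo-reply, packet-too-big and time-exceeded, rate-limit what reaches the route processor, and throttle the router's own ICMP responses), written out as a Cisco IOS configuration. This is an added illustration, not configuration from the thread or from the book it cites; the ACL and class names, the edge interface, the policer rates and the unreachable timer are assumed values to be tuned to the platform and link speeds.

```cisco
! --- Edge interface ACL (assumed name EDGE-IN; fold into the existing edge policy) ---
ip access-list extended EDGE-IN
 remark Drop non-initial ICMP fragments first: they punt to the CPU twice
 deny   icmp any any fragments
 remark Diagnostics to keep: ping, PMTU discovery and traceroute
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 remark Everything else ICMP is dropped at the border
 deny   icmp any any
 remark Placeholder for the rest of the edge policy (assumed)
 permit ip any any
!
interface GigabitEthernet0/0
 description Assumed Internet-facing edge
 ip access-group EDGE-IN in
!
! --- Control-plane policing: rate-limit ICMP that is addressed to the router itself ---
! Note: in a CoPP class ACL, "deny" means "not in this class", not "drop",
! so the fragment drop above has to stay on the interface ACL.
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all COPP-ICMP-CLASS
 match access-group name COPP-ICMP
!
policy-map COPP
 class COPP-ICMP-CLASS
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! --- Throttle the router's own ICMP unreachable generation (one per 1000 ms; assumed value) ---
ip icmp rate-limit unreachable 1000
```

The interface ACL does the filtering so the fragment and "everything else" drops happen in the forwarding path before any punt; CoPP then caps whatever permitted ICMP is destined to the router's own addresses, which is the "receive" path Justin describes. The `ip icmp rate-limit unreachable` line addresses the other half of the thread: rather than removing unreachables with `no ip unreachables`, the router keeps sending them but not faster than the configured interval. Verify the policer is actually catching traffic with `show policy-map control-plane` before tightening the rate.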
